A recap of the past week's security news touches on Facebook, Nasdaq and the Super Bowl.
This past week in IT security ended with some big news: Nasdaq OMX,
the company that owns and operates the Nasdaq Stock Market, was hit with
malware during the past year.
According to reports, the United States Secret Service and FBI are investigating
the attack, which failed to compromise Nasdaq's trading platform.
Nonetheless, malware did infect part of the Nasdaq OMX
network known as the Director's Desk, which allows company boards to
communicate by securely storing and sharing documents.
The trading platform architecture "operates independently" from
Web-facing services like Director's Desk, Nasdaq OMX told
the New York Times, adding that "at no point was any of Nasdaq OMX's
operated or serviced trading platforms compromised."
News of the attack on Nasdaq is just one example of malicious activity highlighted
during the week. Security researchers also noted several scams
being used to lock users out of their accounts and force
them to take questionnaires if they want to regain access.
"Once again cyber-criminals are using social engineering to trick
victims and infect them with malware," said Luis Corrons, technical
director of PandaLabs.
Also reported was an unrelated vulnerability
discovered by two students at Indiana
University that allowed an attacker
to steal an authentication token sent to legitimate sites when those sites request
to share data with Facebook. With the stolen token, the attacker
can impersonate the legitimate site and access user information.
"Bing.com by default has the permission to access
any Facebook user's basic information such as name, gender, etc., so
our malicious website is able to deanonymize the users by impersonating
Bing.com," one of the students, Rui Wang, told eWEEK in an e-mail.
"In addition, due to business needs, there are many websites requesting
more permissions, including access to a user's private data, and publishing
content on Facebook on her behalf. Therefore, by impersonating those
websites (e.g., NYTimes, ESPN, YouTube, and FarmVille, etc.), our website can
obtain the same permissions to steal the private data or post bogus messages on
Facebook on the user's behalf."
Attacks continued this past week, this time hitting Web sites belonging to the
Yemeni and Egyptian governments. News also hit that reputed
spammers had taken over
thousands of IP addresses assigned to the wife of
Egyptian President Hosni Mubarak and the science center that bears her name.
The move is typical of spammers trying to get their hands on Internet address
space that has not been blacklisted, security pros told eWEEK.
In the realm of critical infrastructure security, eWEEK examined a U.S. Department
of Energy audit that took a look at cyber-security efforts related to the
nation's power grid. According to the audit, many businesses are not
properly identifying critical assets, which underscores the challenge
of a risk-based approach to security in situations where businesses, in a
desire to cut costs, have an incentive
to underreport risk.
Also during the week, the FBI arrested an Arizona
man on suspicion of fraud and computer tampering in connection with interrupting the
2009 Super Bowl
broadcast with a clip from an adult movie. Frank Tanori
Gonzalez of Marana, Ariz.,
was arrested at roughly 5:30 p.m.
Feb. 4, according to reports. In preparation for the big game, researchers
at PC Tools
advised users to be wary of attacks taking advantage of
interest in the Super Bowl game today.